
Topic: Did YOU get hacked in the Equifax Data Breach? (Read 1284 times)

If you did, your choices here are slim and all bad. You can do a credit freeze to stop all new credit accounts from being opened up, but if you do bizness that will make life very difficult. You can go to Equifax's website to see if you were hacked, but to do it you gotta put in most of your SS# plus your name. You're going to do this on a site that was just hacked? WTF? You can try to get info from the SS Administration to see if anyone is using your SS#. GOOD LUCK WITH THAT! You'll spend the rest of your life on the phone on hold waiting for a SSA Call Center Representative who knows nothing.

I am not worrying about it. If all my digibits disappear tomorrow, I'll still live a while on the paper FRNs I have. If somebody opens a credit account in my name, by the time they catch up to this ripoff I will be dead anyhow.

Equifax shares dropped another 16% during the day and after-hours on Wednesday to $97.51. They’ve now plunged 31%, or $44.82, in the four trading days since Equifax confessed that 143 million consumers had their data crown-jewels stolen when it was hacked. The stolen data is perfect for identity theft, such as getting a loan in your name, and tax fraud, such as getting a tax refund from the IRS in your name, with Kafkaesque consequences for you.

Investors, seeing what this might do to the company, have voted with their sell-button. Based on the 120.4 million shares outstanding as of June 30, the four-trading-day loss amounts to $5.4 billion.

The stink has been enormous, with Equifax having to back down from some of its most egregious solutions to this problem, including forcing consumers to give away their legal right to sue in order to sign up for its credit protection services. Buckling under scathing criticism, Equifax rescinded this requirement over the weekend.

Equifax will still try to twist this offer of “free” credit protection into a profit opportunity. Once your social security number, date of birth, and other data that hackers obtained is out there, you’re vulnerable to identity theft for the rest of your life, and you need to protect yourself for the rest of your life. But Equifax is just offering the first year for free, hoping that you’ll continue the service and pay its annual fee for the rest of your life.

Dozens of lawsuits have already been filed. Equifax will be attacked from all directions, including shareholder class-action lawsuits and consumer lawsuits. Congress has gotten interested in it, and two committees are planning hearings.

But the Wall Street hype continues. All 16 analysts tracked by Bloomberg that follow Equifax have either reiterated their bullish rating on the company, or have not altered their rating, and some have exhorted their clients to buy more.

JP Morgan Chase analyst Andrew Steinerman said that based on his conversation with Equifax executives, the financial impact would be isolated to the company’s business-to-consumer segment, which accounts for about 7% of total revenue. Based on the revenue consensus of $3.40 billion for 2017, it would impact only about $238 million in revenue, according to MarketWatch. So no big deal?

When OPM (Office of Poor Management) okay, Office of Personnel Management in the good'ol US Government was hacked some years ago, my personal information was stolen as well as millions or current and former government employees. I signed up for a bunch of credit monitoring things that OPM paid for, at least for a few months or a year or two. Nothing has come of it at least as of yet. I felt the same way about this latest event. Sending more personal information out into the system to see if you were hacked didn't sound like a great idea...

Agreed. Sounds like doubling down on a bad bet. But at least Equifax was astute enough to ask themselves, "How can we make money long term on ratfucking our customer base?"

The insiders had the short-term covered when they dumped company stock in advance of the news release.

I will write about it later today; it's Monday through Saturday for 4 weeks. I've got a couple more hours today. I will start a thread later today when I'm back at the hotel. So far so good though👍🏻👍🏻👍🏻

It's a pain in the ass, and the fact you need to reveal confidential information to a company that was already hacked just to find out if you are one of the compromised customers is a kick in the balls. Saying that, is there an equivalent of CIFAS in America? CIFAS (Credit Industry Fraud Avoidance System) is a voluntary anti-fraud organization and what it can do, in the event of fraud or previous history of identity theft, is provide contact to you personally should anyone attempt a credit check under your name. The down shot is any credit application such as a loan, credit card, mortgage or even account opening is more likely to be put on hold for longer to perform the necessary additional security checks to prevent fraud.

Shares of Equifax dropped another 4% today, including after-hours, to $92.70. They’re now down 35%, or $50, from the happier era that ended at 5pm EST on September 7, with the confession that it had found out six weeks earlier that the most crucial personal data – “primarily names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers” – of 143 million consumers had been stolen.

This was promptly followed by chaos and egregious missteps, such as trying to profit from its victims. So far, at 120.4 million shares outstanding as of June 30, the six trading days have cost investors $6 billion. No one cares about consumers. They’re just the product. But $6 billion matter.

Now heads are rolling. Oh no, not CEO Richard Smith. He is not leaving the company to spend more time with his family. Instead, Equifax announced Friday evening that it sacked two lower level executives. I mean, not sacked. Chief information officer, David Webb, and chief security officer, Susan Mauldin, “are retiring,” it said, “effective immediately.”

And they had it coming.

Much was made of Mauldin’s degrees in music. But for a person her age, and with as much corporate experience as she had, college is irrelevant. Gates, Jobs, and Zuckerberg didn’t even graduate from college. What matters is how they perform their work.

And they failed to patch a vulnerability in Apache Struts, open-source (and therefore free) software. The vulnerability had been “identified in early March” but wasn’t patched. The hack occurred from May 13 through July 30, 2017.

According to Equifax Friday evening:

The attack vector used in this incident occurred through a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application.

Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.

While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing.

ArsTechnica was a little clearer:

The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on Web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.

After this software fiasco, two other people were promoted into those slots, both from within Equifax’s vaunted IT operations, now best known for not patching their Apache Struts software. The statement:

Mark Rohrwasser has been appointed interim Chief Information Officer. Mr. Rohrwasser joined Equifax in 2016 and has led Equifax’s International IT operations since that time.

Russ Ayres has been appointed interim Chief Security Officer. Mr. Ayres most recently served as a Vice President in the IT organization at Equifax. He will report directly to the Chief Information Officer.

The statement also said that the company “is fully committed to proactively supporting consumers who may have been impacted by the cybersecurity incident.”

Yup. So a day or two ago, Equifax changed its page for initiating a “security freeze” to make it a lot harder for consumers to get a security freeze (aka credit freeze).

Credit bureaus are required to offer a security freeze. But they’re not required to make it easy. Credit bureaus sell consumer data to other companies. When you try to open an account at a bank or credit card company, that company will check your credit worthiness via the data obtained from credit bureaus. If someone obtains your data that was stolen from Equifax, he can open an account in your name and borrow money in your name, and you get to fend off the creditors when they chase after their money, and your credit will be ruined too.

Identity theft is a nightmare to resolve. The best prevention is putting a security freeze at the three major credit bureaus: Equifax, TransUnion, and Experian.

A credit freeze makes this form of identity theft nearly impossible because banks and credit card companies that cannot verify the applicant’s credit history will not open a new account. And since your stolen data will be out there forever, you need to protect yourself for the rest of your life.

But to make it even harder to obtain a security freeze, Equifax put a huge distracting red button on the top center of the security-freeze page. It takes you to a page full of other stuff where a security freeze is mentioned only at the bottom, but without link.

This is what the devious button looks like that you do not want to click:

Instead, scroll past the devious red button. Now the security-freeze section appears that used to be at the top. And it provides the appropriate link. But most people will never see it because they were deceived by the devious red button.

Under withering pressure and allegations of profiteering from its victims’ plight, Equifax announced that credit freezes will be free until November 21, and that consumers who paid for it starting at 5pm EST on September 7 will receive a refund.

TransUnion has become even more devious in trying to prevent consumers from initiating a security freeze and denting its revenues. Its old credit-freeze page that I’d linked in my September 7 article — and that subsequently major media outlets and State Attorneys General linked in their communications – was changed a couple of days ago.

Now that page goes through all kinds of blah-blah-blah. You have to scroll all the way down to get to the very last paragraph to find the first mention of a “credit freeze” and the new link where you can initiate the credit freeze. But even on that “credit-freeze2” page, TransUnion is trying to talk you into a “security lock” instead.

Experian has not yet changed its security freeze page.

This deviousness is a sign these companies are terrified that a mass credit freeze will hit their revenues and shares. And this isn’t a short-term blip. This is for life.
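The Struts passage in the article above (fix published March 6, mass exploitation within days, Equifax breached from mid-May) is a patch-latency failure, and the first step in closing that gap is knowing which deployed systems carry an affected struts2-core. The following is an added example written for this page, not Equifax's tooling or anything from the quoted article: it takes an inventory of (host, jar path) pairs, the kind a configuration-management `find` job produces, and flags versions inside the ranges the Apache S2-045 advisory lists for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). The host names and paths are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges from the Apache Struts S2-045 advisory for CVE-2017-5638:
# 2.3.5 through 2.3.31 and 2.5 through 2.5.10. Fixed in 2.3.32 and 2.5.10.1.
AFFECTED_RANGES: List[Tuple[Tuple[int, ...], Tuple[int, ...]]] = [
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
]
FIXED_VERSIONS: Dict[Tuple[int, ...], str] = {(2, 3): "2.3.32", (2, 5): "2.5.10.1"}

# struts2-core is the artifact that carries the Jakarta multipart parser.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare the way dotted versions sort."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str) -> bool:
    """True if this struts2-core version falls inside an affected range.
    Python tuple ordering makes (2, 5, 10, 1) > (2, 5, 10), so the 2.5.10.1 fix
    correctly lands outside the (2.5, 2.5.10) range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def extract_version(jar_path: str) -> Optional[str]:
    """Pull the version out of a deployed jar path, or None if it is not struts2-core."""
    match = JAR_RE.search(jar_path)
    return match.group(1) if match else None


def scan_inventory(inventory: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """inventory: (host, jar_path) pairs, e.g. the output of
    `find / -name 'struts2-core-*.jar'` collected by a config-management tool.
    Returns one finding per vulnerable host with the release to upgrade to."""
    findings: List[Dict[str, str]] = []
    for host, jar_path in inventory:
        version = extract_version(jar_path)
        if version is None or not is_affected(version):
            continue
        branch = parse_version(version)[:2]
        findings.append({
            "host": host,
            "version": version,
            "fix": FIXED_VERSIONS.get(branch, "upgrade to a fixed release"),
        })
    return findings


# Constructed sample inventory (hypothetical hosts and paths, not Equifax data).
SAMPLE_INVENTORY = [
    ("dispute-web-01", "/opt/tomcat/webapps/dispute/WEB-INF/lib/struts2-core-2.3.31.jar"),
    ("dispute-web-02", "/opt/tomcat/webapps/dispute/WEB-INF/lib/struts2-core-2.3.32.jar"),
    ("portal-api-07", "/srv/app/WEB-INF/lib/struts2-core-2.5.10.jar"),
    ("portal-api-08", "/srv/app/WEB-INF/lib/struts2-core-2.5.10.1.jar"),
    ("legacy-batch-03", "/srv/app/WEB-INF/lib/struts2-core-2.3.4.jar"),
    ("reporting-01", "/srv/app/WEB-INF/lib/commons-fileupload-1.3.2.jar"),
]

if __name__ == "__main__":
    for finding in scan_inventory(SAMPLE_INVENTORY):
        print(f"{finding['host']}: struts2-core {finding['version']} is affected by "
              f"CVE-2017-5638; upgrade to {finding['fix']}")
```

A filename match only sees jars that kept their Maven name; shaded or repackaged builds need the version read from META-INF/MANIFEST.MF or the build's pom instead. The point of the check is the gap the article describes: the day a fix ships, the inventory query should already exist, so the patch window is measured in hours rather than the two months quoted above.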

If it's a pain in the ass, why do you continue to feed the beast? Exit the matrix....

I know exactly what you mean. Let me tell you why you’re here. You’re here because you know something. What you know you can’t explain, but you feel it. You’ve felt it your entire life, that there’s something wrong with the world. You don’t know what it is but it’s there, like a splinter in your mind.

(Reuters) - Uber Technologies Inc paid hackers $100,000 to keep secret a massive breach last year that exposed the personal information of about 57 million accounts of the ride-service provider, the company said on Tuesday.

Discovery of the U.S. company’s cover-up of the incident resulted in the firing of two employees responsible for its response to the hack, said Dara Khosrowshahi, who replaced co-founder Travis Kalanick as CEO in August.

"None of this should have happened, and I will not make excuses for it," Khosrowshahi said in a blog post. (ubr.to/2AmxlQt)

The breach occurred in October 2016 but Khosrowshahi said he had only recently learned of it.

The hack is another controversy for Uber on top of sexual harassment allegations, a lawsuit alleging trade secrets theft and multiple federal criminal probes that culminated in Kalanick’s ouster in June.

The stolen information included names, email addresses and mobile phone numbers of Uber users around the world, and the names and license numbers of 600,000 U.S. drivers, Khosrowshahi said.

Uber passengers need not worry as there was no evidence of fraud, while drivers whose license numbers had been stolen would be offered free identity theft protection and credit monitoring, Uber said.

Two hackers gained access to proprietary information stored on GitHub, a service that allows engineers to collaborate on software code. There, the two people stole Uber’s credentials for a separate cloud-services provider where they were able to download driver and rider data, the company said.

A GitHub spokeswoman said the hack was not the result of a failure of GitHub’s security.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said.

“We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Bloomberg News first reported the data breach on Tuesday.

Khosrowshahi said Uber had begun notifying regulators. The New York attorney general has opened an investigation, a spokeswoman said.

Regulators in Australia and the Philippines said on Wednesday they would look into the matter. Uber is seeking to mend fences in Asia after having run-ins with authorities, and is negotiating with a consortium led by Japan’s SoftBank Group (9984.T) for fresh investment. SoftBank declined to comment.

Uber said it had fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, this week because of their role in the handling of the incident. Sullivan, formerly the top security official at Facebook Inc (FB.O) and a federal prosecutor, served as both security chief and deputy general counsel for Uber.

Sullivan declined to comment when reached by Reuters. Clark could not immediately be reached for comment.

Kalanick learned of the breach in November 2016, a month after it took place, a source familiar with the matter told Reuters. At the time, the company was negotiating with the U.S. Federal Trade Commission over the handling of consumer data.

A board committee had investigated the breach and concluded that neither Kalanick nor Salle Yoo, Uber’s general counsel at the time, were involved in the cover-up, another person familiar with the issue said. The person did not say when the investigation took place.

Uber said on Tuesday it was obliged to report the theft of the drivers’ license information and had failed to do so.

Kalanick, through a spokesman, declined to comment. The former CEO remains on the Uber board of directors, and Khosrowshahi has said he consults with him regularly.

CRIME PAYS

Although payments to hackers are rarely publicly discussed, U.S. Federal Bureau of Investigation officials and private security companies have told Reuters that an increasing number of companies are paying criminal hackers to recover stolen data.

“The economics of being a bad guy on the internet today are incredibly favorable,” said Oren Falkowitz, co-founder of California-based cyber security company Area 1 Security.

Uber has a history of failing to protect driver and passenger data. Hackers previously stole information about Uber drivers and the company acknowledged in 2014 that its employees had used a software tool called “God View” to track passengers.

Khosrowshahi said on Tuesday he had hired Matt Olsen, former general counsel of the U.S. National Security Agency, to restructure the company’s security teams and processes. The company also hired Mandiant, a cybersecurity firm owned by FireEye Inc (FEYE.O), to investigate the breach.

The new CEO has traveled the world since replacing Kalanick to deliver a message that Uber has matured from its earlier days as a rule-flouting startup.

“The new CEO faces an unknown number of problems fostered by the culture promoted by his predecessor,” said Erik Gordon, an expert in entrepreneurship and technology at the University of Michigan’s Ross School of Business.

Reporting by Jim Finkle in Toronto and Heather Somerville in San Francisco; Additional reporting by Joseph Menn and Stephen Nellis in San Francisco, Manolo Serapio Jr in Manila, Byron Kaye in Sydney, and Sam Nussey in Tokyo; Editing by Lisa Shumaker and Stephen Coates
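The attack path in the Reuters piece above (credentials for a cloud provider sitting in a GitHub repository, then used to pull rider and driver data) is the class of leak a pre-commit or CI secret scan exists to catch. The following is an added example written for this page, not Uber's tooling or anything from the article: it scans file contents for known credential shapes (the documented AWS access key ID format, PEM private key headers) and for credential-looking assignments whose literal value has high Shannon entropy, which separates real keys from `changeme` placeholders. The sample repository contents are constructed; the AWS values are the placeholder pair from Amazon's own documentation, not live credentials.

```python
import math
import re
from typing import Dict, List

# Credential formats with a recognisable shape. The AWS access key ID format
# ("AKIA" plus 16 upper-case alphanumerics) is documented by Amazon; the PEM
# header line identifies a private key block regardless of provider.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic rule: a variable whose name suggests a credential, assigned a literal
# of 16+ characters. Entropy then decides whether the literal looks like a key.
ASSIGNMENT_RE = re.compile(
    r"([\w\-]*(?:secret|password|passwd|token|api[_-]?key|access[_-]?key)[\w\-]*)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.5  # bits per character; words and placeholders sit well below this


def shannon_entropy(s: str) -> float:
    """Bits per character. Random keys score above 4; 'changeme' style values below 3."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, rule) that looks like a committed credential."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in KNOWN_PATTERNS.items():
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "rule": rule})
        match = ASSIGNMENT_RE.search(line)
        if match and shannon_entropy(match.group(2)) >= ENTROPY_THRESHOLD:
            findings.append({"path": path, "line": lineno,
                             "rule": "high_entropy_assignment", "name": match.group(1)})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    """files: {path: contents}. In a pre-commit hook this is the staged blob set."""
    findings: List[Dict[str, object]] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents. The AWS values are the placeholder
# pair from Amazon's own documentation, not live credentials.
SAMPLE_FILES = {
    "config/aws_credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "deploy/settings.py": (
        "DEBUG = False\n"
        "DATABASE_PASSWORD = \"changeme_changeme\"  # placeholder, low entropy\n"
        "API_TOKEN = os.environ[\"API_TOKEN\"]  # read from the environment, no literal\n"
    ),
    "keys/deploy_key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAconstructedplaceholderbody\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        extra = f" ({f['name']})" if "name" in f else ""
        print(f"{f['path']}:{f['line']}: {f['rule']}{extra}")
```

Wire `scan_files` to the staged blobs in a pre-commit hook and to every push in CI, and fail the build on any finding; the entropy rule will occasionally flag a long random-looking constant, which is cheap to allow-list, while a missed key costs what the article describes. Scanning only new commits is not enough once a secret has landed: it stays in history until the key is rotated, which is the step that actually revokes the attacker's access.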

Yesterday, we discovered that funds were improperly removed from the Tether treasury wallet through malicious action by an external attacker. Tether integrators must take immediate action, as discussed below, to prevent further ecosystem disruption.

Disappeared: $31 million in tether tokens. This was reported Monday night by Tether, the company behind the cryptocurrency “tether,” with a market capitalization of $673 million, according to CoinMarketCap. The value of tether, which is “tethered” to the US dollar, continued to hover around $1.

But bitcoin plunged 5% and then recovered. Tether is used as a medium to transfer cryptocurrencies to other exchanges in other countries without using the dollar and without using banks.

The hack had taken place on November 19, Tether said. The tokens were sent to an “unauthorized bitcoin address.” The company said it’s trying to prevent the stolen tokens from being converted into dollars or enter “the broader ecosystem.”

Sure, there are thefts of all currencies. But there’s a difference. When someone steals money from your bank account by hacking into the bank, the bank is responsible and makes you whole. When someone hacks into a cryptocurrency, no one covers it.

These hacks of cryptocurrencies are just about as old as cryptocurrencies themselves. In June, 2011, a user named ALLINVAIN made off with 25,000 bitcoins, at the time valued at $775,000, today valued at $200 million. It went on from there.

The biggest hack remains Mt. Gox, which at the time was handling 70% of the global bitcoin transactions. The exchange, located in Tokyo, revealed the hack in February 2014. Apparently 650,000 bitcoins ($473 million at the time) had disappeared over a period of several years. At today’s prices, the hack would have amounted to $5.2 billion.

Here are some of the major cryptocurrency hacks:

The hacker was able to break into Enigma’s website, Slack group, and mailing list and sent fraudulent messages to the project’s community asking for money. This allowed the hacker to gather almost 1,500 Ether (about $500,000). This is despite a previous warning by Enigma that it would not collect money in this way until its ICO in September.

July 2017, Veritaseum’s Ether wallet hacked, about $8 million stolen after its ICO on May 26th. Store of Value:

On July 23rd, Middleton [founder Reggie Middleton of the Boom Bust Blog] claimed in Veritaseum’s Slack group that hackers stole 36,000 VERI tokens out of a wallet held by the company. This is how Middleton described the hack: “The hackers thwarted 2FA, on two different accounts, and finagled 3rd parties security among several other things. They went through quite a bit of effort, alas going through that much effort caused them to leave a bread crumb trail as well. I hate thieves.”

July 2017, Parity Multisig Wallet was hacked, according to ParityTech. “A vulnerability in the Parity Wallet library contract of the standard multi-sig contract has been found,” the company said. Via this vulnerability, hackers drained 153,037 Ether ($32 million) from three multi-signature contracts that were used to store funds from prior ICOs (Swarm City, Edgeless Casino, and æternity).

July 2017, Bithumb, the world’s fourth largest Bitcoin exchange and largest Ether exchange, was hacked, according to Hacker News. Claims “started to surface” that “billions of won” disappeared from compromised accounts at the Korean exchange. At the time, actual loss data remained unclear.

CoinDash is an Israeli startup that conducted an ICO in July of this year to raise funds. However, just 13 minutes into the crowdsale, a hacker was able to change the Ethereum address posted on the ICO’s website. This address is where interested investors should send their Ether to in order to receive CoinDash tokens in return.

October 2016, Bitcurex, a bitcoin trading platform in Poland, suddenly shut down. A few days later, it posted a notice on the otherwise dead site that an update had gone awry and asked customers to be patient. January 2017, the owner of the exchange “disappears,” as the exchange remained shut down and its 2,300 bitcoins ($2.6 million) are gone. Polish authorities started investigating.

August 2016, Bitfinex, which doesn’t even disclose where it is located (it’s incorporated in the British Virgin Islands at a mailbox address and files some paperwork in Hong Kong), was hacked again, after its May 2015 hack. This time, 119,756 bitcoins were stolen ($72 million), at the time the second largest heist, after Mt. Gox. The exchange is the world’s largest dollar-based bitcoin exchange. The same people that own Bitfinex set up Tether, also in the British Virgin Islands, a fact that became known via the leaked “Paradise Papers.”

July 2016, social media blockchain Steemit was hacked, 260 accounts compromised, and $85,000 in Steem and Steem Dollars stolen.

June 2016, Ethereum project Decentralized Autonomous Organization (DAO) was hacked, “more than 3,600,000 ether” ($72 million at the time) were stolen. Hackers had exploited a known vulnerability. CoinDesk explains:

Unfortunately, while programmers were working on fixing this and other problems, an unknown attacker began using this approach to start draining The DAO of ether collected from the sale of its tokens.

May 2016, Gatecoin, a Hong Kong based exchange, was hacked. It claimed it lost 250 bitcoins and 185,000 Ether, about $2.14 million at the time.

March 2016, Canada-based Cointrader shut down after an audit showed “a deficiency of bitcoin.”

March 2016, ShapeShift which on its site claims to be “the safest, fastest asset exchange on Earth” was hacked three times in a two-week period. Each time, the hot wallets were cleaned out. Disappeared: 469 bitcoins, 5,800 Ether, 1,900 Litecoins ($230,000 in total).

January 2016, Cryptsy claimed it had been hacked and shut down. Disappeared: about $6 million in bitcoin and Litecoin. In August 2016, CoinDesk reported:

Cryptsy CEO Paul Vernon may have stolen as much as $3.3 million from the now-defunct digital currency exchange and destroyed evidence of his illicit actions. That’s according to new court documents from the ongoing class action lawsuit filed against the troubled industry exec.

May 2015, Bitfinex announced that it was hacked and its “hot wallet might have been compromised.” Turns out, 1,500 bitcoin (at the time $350,000) were stolen.

January 2015, Bitstamp was hacked after a phishing expedition that targeted employees, as was later revealed. In total, 18,866 bitcoins ($4.3 million at the time) were stolen.

January 2015, BTer in China was hacked, 7,170 bitcoins ($1.8 million at the time) were stolen.

January 2015, KipCoin in China was hacked, about 3,000 bitcoins were stolen ($800,000 at the time).

And there are more: